Re: Forms based security without cookies?
From: Fouad Daniëls (fouad.daniels@webregio.nl)
Date: 07/26/02
From: Fouad Daniëls <fouad.daniels@webregio.nl> Date: Fri, 26 Jul 2002 03:36:31 -0700
This will not work. You can't use session variables if the
user does not support cookies. Session vars are retrieved
and linked to a specific user using their cookies, which
are set upon creating a session var.

There is no watertight way of identifying users as all
servervariables may provide a way to do so, but IP addresses
may be grouped as users can reside behind firewalls and
proxies.

So either make your own identification system with the
knowledge it is not watertight, or have your users enable
cookies. (I for one hate cookies, so good luck with that.)

Regards,
Fouad Daniëls

>-----Original Message-----
>Thanks for the link, but it just simply talks about normal Forms Based
>authentication. This still requires a cookie. I have read since my
>original post that FormsBased authentication as written by MS HAS TO HAVE
>cookies to work. If you can't use cookies, you have to write your own.
>Where would I start to write my own authentication to work like Forms but
>without the cookie?
>
>I would think the following steps would need to be done:
>1. Trap every request and somehow determine if the user is authenticated
>2. If not authenticated, redirect to login keeping track of original URL
>they were wanting
>3. Check user/password and if valid, set *something* to know they are
>authenticated
>4. redirect to original page they were requesting
>
>I was going to try something simple like a value in session object var with
>values of 0 for NOT authenticated and 1 for authenticated. So, in step 1, I
>would check Session["Authenticated"] for a value of 1. If it is a 1, then
>let things go as normal. If it is a 0, perform steps number 2 and 3. In
>step 3, if they pass user/password check, then set Session["Authenticated"]
>= 1. When the loser finally logs out, then I would simply set
>Session["Authenticated"] = 0.
>
>Is this secure? What would be the problems?
>
>Anyone have any other ideas?
>
>"Vladimir Maysuradze" <mvv@ewebcoding.com> wrote in message
>news:OKgMcvzMCHA.1624@tkmsftngp10...
>> Read this article:
>> http://www.fawcette.com/vsm/2002_08/online/chester/default.asp
>>
>> "Stephen Barrett" <stephen_barrett@nospam.aoncons.com> wrote in message
>> news:eSAszryMCHA.2420@tkmsftngp11...
>> > Is it possible to do forms based security without actually storing cookies
>> > on the client machine? Forms based security looks like a perfect fit for
>> > our application except we have hundreds of users who have cookies disabled
>> > for one reason or another. We authenticate the users using information in a
>> > database, but on machines that have cookies disabled, the site doesn't work.
>> > We aren't using permanent cookies, just temporary ones with a 20 minute
>> > timeout.
>> >
>> > Is there a way to do what forms based security is doing without the cookie?
>> > If not, what would you recommend my next step be?
>> >
>> > TIA
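An added example (not from the original posts and not ASP.NET's own Forms authentication code) of the "own identification system" discussed in this thread: a signed, expiring ticket carried in the URL instead of a cookie, covering steps 1 and 3 of the quoted list with the thread's 20 minute timeout. The class name `UrlTicket`, its methods and the per-process key are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: hypothetical helper, not part of ASP.NET Forms authentication.
public static class UrlTicket
{
    // Assumption: in a real site the key comes from protected configuration,
    // so that it survives restarts and is shared across servers.
    private static readonly byte[] Key = NewKey();
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(20);

    // Step 3: after the user/password check succeeds, issue "user|expiry|mac".
    public static string Issue(string user, DateTimeOffset now)
    {
        // EscapeDataString also escapes '|', so a user name cannot add fields.
        string payload = Uri.EscapeDataString(user) + "|" + now.Add(Lifetime).ToUnixTimeSeconds();
        return payload + "|" + Sign(payload);
    }

    // Step 1: on every request, return the user name, or null if the ticket
    // is missing, malformed, tampered with or expired.
    public static string Validate(string ticket, DateTimeOffset now)
    {
        if (ticket == null) return null;
        string[] parts = ticket.Split('|');
        if (parts.Length != 3) return null;
        if (!FixedTimeEquals(Sign(parts[0] + "|" + parts[1]), parts[2])) return null;
        long expiry;
        if (!long.TryParse(parts[1], out expiry)) return null;
        if (now.ToUnixTimeSeconds() >= expiry) return null;
        return Uri.UnescapeDataString(parts[0]);
    }

    private static string Sign(string payload)
    {
        using (var hmac = new HMACSHA256(Key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)))
                .TrimEnd('=').Replace('+', '-').Replace('/', '_'); // URL-safe alphabet
    }

    // Compare MACs without stopping at the first differing character.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    private static byte[] NewKey()
    {
        var key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        return key;
    }
}
```

A ticket in the URL ends up in server logs, browser history and Referer headers, and anyone who copies the link before it expires is treated as that user, so this is not watertight either; serve it only over HTTPS and keep the lifetime short. Logging out cannot invalidate a ticket unless the server also keeps a list of revoked ones.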